Data privacy is a major concern in any industry where the majority of user information is sensitive, for example user details, credit card numbers, CVV numbers, account numbers, and the like. In a Payment Card Industry (PCI) scenario it is very common to have phone-based customer care support for authentication and query processing, wherein a Customer Care Representative (CCR) or agent normally requires the customer's credit card number and some additional personal information to validate the customer. Taking into account budget constraints and profitability margins, these setups normally have few or negligible controls that discourage agents from using customer data maliciously.
Moreover, for compliance, audit and training purposes these setups employ call recording facilities, which in turn increase the data leakage problem manifold. Customers access their account information or perform transactions either through web portals or through interactive voice response (IVR) gateways. Web portal network traffic is normally encrypted and transmitted on secure channels, and apart from the customer, no other human involvement is required. This does not hold for an IVR-based system, where, depending on the transaction type or query requirement, an agent sometimes needs to be present to assist the customer. The agent can request the customer either to input the credit card number using the keypad, which uses hi band DTMF signals to convey data, or to speak it aloud. In both input media the information being conveyed is structured and is of limited dictionary size. In PCI customer care support, authentication and query processing are typically backed by a web or desktop-based application, in which additional customer details, for example date of birth or phone number, are entered for verification purposes, or customer-specific information is displayed for further processing and query answering. This may lead to privacy attacks, resulting in targeted advertisement, personal data loss, monetary loss, and a high chance of identity theft for the customer. Similarly, the fallout of such data leakage causes the service provider loss of reputation, loss of customers, and monetary losses in the form of settlements.